Difference between revisions of "Managing SSL Certificates"

From LongJump Support Wiki

Revision as of 22:52, 23 June 2011

Managing SSL Certificates

Obtaining an SSL Certificate

The platform provides a default self-signed certificate which is used by the Application Server.

To obtain and install your own SSL certificate, make a request to a Certificate Authority (CA). An SSL certificate authenticates a website to a web browser as part of the protocol that secures the data exchange between them.

The CA will accept your Certificate Signing Request and generate a certificate which identifies your website as a secured website.

To create a Certificate Signing Request (CSR)

1. Create a keystore and a private key:
cd {install_dir}/tomcat/conf/RN
keytool -genkey -alias tomcat -keyalg RSA -keystore {keystore_filename}
2. Create a CSR from the keystore:
keytool -certreq -keyalg RSA -alias tomcat -file certreq.csr \
               -keystore {keystore_filename}

The resulting file, certreq.csr, is submitted to the CA to obtain a certificate. Once you have obtained the certificate, you need to import it into the keystore. (In addition to your certificate, the CA might provide a chain/root certificate, which must also be imported.)

To Install the Certificate

  • If you have received the chain certificate from the CA, do each of the steps below.
  • If you have NOT received the chain certificate from the CA, do step 3 only.

Install/import the chain certificate:

1. Copy the contents of the chain certificate into a file called chain
2. Import the chain certificate into your keystore:
keytool -import -alias root -keystore {keystore_filename} \
               -trustcacerts -file chain
3. Import the certificate received from the CA:
keytool -import -alias tomcat -keystore {keystore_filename} \
               -trustcacerts -file {certificate_filename}

Replacing the Default SSL Certificate

To replace the certificate:

  1. Add the new certificate file (the keystore that holds it) to this directory:
    {install_dir}/tomcat/conf/RN
  2. Edit the {install_dir}/tomcat/conf/server.xml file
  3. Replace the following line:
    keystoreFile="conf/RN/thirdParty" keystorePass="algrsa"
    with:
    keystoreFile="conf/RN/your_certificate_file_name"
    keystorePass="your_password_for_certificate_store"
  4. Save the file
  5. Restart the application server

The Application Server will now use your certificate file for communication over HTTPS.
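A defender's check for the replacement procedure above, added here as an example that is not part of the wiki page: a POSIX shell audit that reads server.xml and reports whether the HTTPS connector still carries the default keystore path and password named in step 3, or points at a keystore that has not yet been copied into conf/RN. The function names and the sample server.xml are constructed for this example, and it assumes that a relative keystoreFile path is resolved against {install_dir}/tomcat.

```shell
#!/bin/sh
# Added example, not code from the LongJump wiki: audit a Tomcat server.xml for the
# default keystore settings the page tells you to replace (keystoreFile="conf/RN/thirdParty",
# keystorePass="algrsa"). The function names and the sample server.xml are constructed.

# Print an attribute value (e.g. keystoreFile); it may sit on its own line, so the whole file is searched.
xml_attr() {
    sed -n "s/.*$2=\"\([^\"]*\)\".*/\1/p" "$1" | head -n 1   # $1 = server.xml, $2 = attribute
}

# Classify the HTTPS connector. Prints one word:
#   missing      no keystoreFile attribute (no HTTPS connector, or a malformed one)
#   default      still the self-signed default keystore and/or its published password
#   unresolvable keystoreFile is absent under {install_dir}/tomcat (assumed resolution base)
#   custom       a site-specific keystore and password are configured
keystore_status() {   # $1 = server.xml, $2 = {install_dir} (optional; enables the file check)
    ks_file=$(xml_attr "$1" keystoreFile)
    ks_pass=$(xml_attr "$1" keystorePass)
    if [ -z "$ks_file" ]; then
        echo missing
    elif [ "$ks_file" = "conf/RN/thirdParty" ] || [ "$ks_pass" = "algrsa" ]; then
        echo default
    elif [ -n "$2" ] && [ ! -f "$2/tomcat/$ks_file" ]; then
        echo unresolvable
    else
        echo custom
    fi
}

# Write a minimal constructed server.xml with one HTTPS connector (demo input only).
write_sample_server_xml() {   # $1 = output path, $2 = keystoreFile, $3 = keystorePass
    cat > "$1" <<EOF
<Server port="8005" shutdown="SHUTDOWN"><Service name="Catalina">
  <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" scheme="https" secure="true"
             keystoreFile="$2"
             keystorePass="$3" />
</Service></Server>
EOF
}

# Walk through the page's replacement procedure on a throwaway install tree.
demo=$(mktemp -d); mkdir -p "$demo/tomcat/conf/RN"; cfg="$demo/tomcat/conf/server.xml"
write_sample_server_xml "$cfg" conf/RN/thirdParty algrsa
echo "as shipped:              $(keystore_status "$cfg" "$demo")"   # default
write_sample_server_xml "$cfg" conf/RN/example.jks correct-horse-battery
echo "edited, keystore absent: $(keystore_status "$cfg" "$demo")"   # unresolvable
: > "$demo/tomcat/conf/RN/example.jks"                              # step 1: keystore copied in
echo "keystore in place:       $(keystore_status "$cfg" "$demo")"   # custom
rm -rf "$demo"
```

Run it against the live file with `keystore_status {install_dir}/tomcat/conf/server.xml {install_dir}`; anything other than `custom` means step 1 or step 3 of the procedure is incomplete.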

Learn More

  • Certificate Signing Request (CSR) Generation Instructions - Tomcat, at https://knowledge.verisign.com/support/ssl-certificates-support/index?page=content&id=AR227